A modern cybersecurity strategy: Building a cybersecurity plan

By Sheldon Shaw, Cyberanalytics Specialist, SAS

In my previous article, I introduced you to an effective way to modernize your cybersecurity program through budget expenditures. In this article, I’ll discuss how to develop another foundational component of the strategy: the cybersecurity plan.

The cybersecurity plan’s foundation

An effective cybersecurity plan can be built in-house or with the help of outside consultants. If you prefer to do it in-house, you should select security staff members experienced in cyber policy creation. Assigning the task to experienced personnel will save time spent rewriting an ineffective cybersecurity plan later. Additionally, you should find people comfortable with engaging other functional areas and building consensus. Otherwise, development and implementation of your cybersecurity plan could get mired in internal politics.


Once you’ve chosen your staff, you should allocate six months for cybersecurity plan development with stakeholder engagement throughout the process. Cybersecurity plans are all too often created in secrecy, leaving employees unengaged and continuously trying to understand the motivation behind them.

The framework of the cybersecurity plan should cover three areas: human resources, finance and audit. These areas allow for consequences, remedial action and oversight of the security process. Creating overly restrictive (or permissive) policies can reduce cybersecurity plans to a culture of avoidance rather than standard practice.

Upon completion, a security open house can kick off communication of the cybersecurity plan across your organization with the goal of widespread acceptance.

Your cybersecurity plan’s framework

Within the cybersecurity plan’s framework, you’ll need a central logging strategy. For this, you must identify:

Who can analyze log data?

What systems process log files?

Where and for how long is log data stored?

The log data should aid investigations. Don’t be fooled into thinking that modernization means only dumping data into a security data lake. Simply collecting and storing large amounts of log data is not an effective security strategy; it only provides a small measure of insurance against the eventuality of an attack.

The reality is often this: Attackers manipulate log files. More often, the log files provide inconclusive evidence or point investigators in a false direction. A modern, central logging strategy is not about long-term data storage; instead it needs to embrace security analytics with real-time data fusion. Truly strategic security leaders are embracing novel storage routines as well, enabling other types of analytics – such as those for system and application quality assurance – to use the log data subject to appropriate privacy handling.

Executing your plan

Whether you create your cybersecurity plan yourself or work with external consultants, it will take time and a concerted effort. But making the upfront investment in staffing, central logging strategy and analytics will surely provide a sound foundation for subsequent security modernization efforts.

And now that I’ve talked about budgeting and planning your cyber strategy modernization, my cyberanalytics colleague Mike Funk and I have identified six practical steps you can implement when executing your modernization plan:

Provide only the minimum level of system privileges needed for any user to do their job.

Mandate the use of strong credentials (two-factor authentication, strong passwords, etc.).

Block e-mail attachment types that have been identified to distribute malware – such as executable files – and inspect the payload of all incoming e-mail traffic.

Quickly patch and hotfix all operating systems and applications with the latest security updates.

Ensure you have (or have access to) a current inventory of all IT hardware, software and users with their credentials.

Regularly use proven cybersecurity tools to test your systems and processes to identify vulnerabilities and remediate any issues found.
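As an added example (not from the article or from SAS), here is one way the third step – block attachment types known to carry malware and inspect the payload – can be implemented in Python: the screen rejects blocked extensions and then reads the first bytes of every attachment, so an executable renamed to look like a text file is still caught. The blocked-extension set, the magic-byte table and the sample message are all constructed for this example.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from pathlib import PurePosixPath

# Assumed block list for this example: native executables and script types.
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".ps1"}

# Leading bytes that identify native executables regardless of the file name.
EXECUTABLE_MAGIC = {b"MZ": "a Windows PE executable", b"\x7fELF": "an ELF executable"}


def classify_attachment(filename, payload):
    """Return a reason to block the attachment, or None if it passes both checks."""
    ext = PurePosixPath(filename or "").suffix.lower()
    if ext in BLOCKED_EXTENSIONS:
        return f"blocked extension {ext}"
    # An extension check alone misses renamed files, so inspect the bytes too.
    for magic, kind in EXECUTABLE_MAGIC.items():
        if payload.startswith(magic):
            return f"payload is {kind} despite name {filename!r}"
    return None


def scan_message(raw):
    """Parse a raw RFC 5322 message and return [(filename, reason)] for blocked parts."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""  # decoded bytes, base64 undone
        reason = classify_attachment(name, payload)
        if reason:
            findings.append((name, reason))
    return findings


def build_sample():
    """Constructed message: a clean PDF, an .exe, and the same .exe renamed to .txt."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "analyst@example.com"
    msg["Subject"] = "Constructed sample for attachment screening"
    msg.set_content("See attached.")
    pe_stub = b"MZ\x90\x00" + b"\x00" * 12  # PE-looking header only, not a real binary
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(pe_stub, maintype="application", subtype="octet-stream", filename="invoice.exe")
    msg.add_attachment(pe_stub, maintype="application", subtype="octet-stream", filename="notes.txt")
    return msg.as_bytes()
```

Running `scan_message(build_sample())` returns two findings: invoice.exe is stopped by its extension and notes.txt by its PE header, while report.pdf passes.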

Sheldon Shaw is a cyberanalytics specialist with SAS. Having spent 15 years in the intelligence community, Shaw worked in nuclear counter-proliferation issues and information operations. He has also managed investigative teams that tracked national security intrusions into government systems. He is a Certified Intrusion Analyst and holds a degree from Acadia University.